Oscorp is the new banking trojan that has appeared in the world of Android bankers at the beginning of 2021.
As we already told you about in our 2020 malware summary, in the past year we were able to observe an increase in the detection of banking malware for mobile devices, not only in terms of the number of campaigns, but also in terms of the new families that were detected.
Following the trend of an increase in banking threats on mobile devices, we've seen two new unknown families appear as soon as this new year began, namely Oscorp and Toddler.
In this case we've talked about Oscorp, a family that's new but that doesn't include any significant developments with regard to the families we are already familiar with.
As we've been able to see, credential theft continues to be carried out through accessibility services that abuse their permissions to log accessibility events (similar to keylogging on desktop systems) or to detect the launch of any legitimate applications and show an overlay with the web injection with the phishing form.
However, it does incorporate something that's less common, which is the direct theft of money, in this case cryptocurrency.
Oscorp abuses accessibility permissions to detect events that occur in a specific wallet application, to determine the available balance of different cryptocurrencies, and ultimately tries to send the cryptocurrency to the attacker's Bitcoin address.
This is a good way to increase the attacker's chances of success in the event the user doesn't use any of the affected banking applications.
Among this malware's code we've also found the ability to steal the two-factor authentication codes stored in the Google Authenticator application.
This is one of the functionalities that seems to be gaining popularity, while the popularity of this type of application that acts as managers of the authentication codes is also increasing.
It is a complement to the theft of text messages, since most banks require some kind of authorization to log into the bank account or carry out transactions, meaning the theft of SMS messages and Google Authenticator authorization codes provides attackers with most of the tools they need to ultimately be successful in stealing money.
In short, we need to be on the lookout for new families and campaigns of banking malware for mobile devices because, as we've already seen, the detection of new families and campaigns is on the rise. We must be prepared to protect our users from the latest techniques for stealing credentials and, ultimately, their money.